Cert error in chrome and firefox on ios

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rickscs.com

I ran this command:

It produced this output:

My web server is (include version): nginx - reverse proxy

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

On my iPhone, I have Chrome and Firefox. When browsing my website (rickscs.com), I get a cert error. On the same device, Safari says the cert is good. Desktop browsers on Windows also show the cert as good. There are many domains going through this proxy server and all the others show good in Chrome on my phone. Only the one domain has this issue...

Thoughts?

Can you try nginx -T (capital T)?
Your site doesn't reply on HTTPS at all; openssl s_client to your site says it didn't send anything for the TLS handshake.
TCP looks open though. Maybe nginx passes through TLS but there's nothing behind that proxy?

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 303 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

@com-guy I am not seeing the same error as @orangepizza but I do see something odd. I was alerted to it by SSL Server Test: rickscs.com (Powered by Qualys SSL Labs)

Note the warning for TLS 1.2. It means a browser that uses TLS 1.2 but does not use SNI or uses the wrong host name will get the wrong certificate. Specifically, the one for copelanddevelopment.com.

I recreated this by doing this:

openssl s_client -connect rickscs.com:443 -servername fakeNoSNI 

The above returned the cert for copeland,
but this returns the correct cert for rickscs.com:

openssl s_client -connect rickscs.com:443 -servername rickscs.com

THAT SAID, the puzzling thing to me is I thought any browser that could do TLS 1.2 would also be SNI capable. So, maybe this is false alarm.

What is the version of your iPhone, and in what versions of Chrome and/or Firefox are you seeing the error?


I checked again and I can now get connected too. Maybe the OP fixed the other side?


hmm...
First time doing TLS via reverse proxy?


@MikeMcQ Note that OpenSSL also has the option -noservername so it'll omit the SNI extension altogether.


Yes, thanks. Noting it requires a minimum of OpenSSL 1.1.1 (IIRC).

And, @com-guy, I "buried the lede" in my previous post but I think we are all curious about your versions of chrome and firefox and your iPhone. And, the details of the "cert error".


I haven't changed anything for that site. I've added a couple new sites through the proxy and they also work as expected.

This is my first time setting up a reverse proxy. The proxy itself is pretty simple. It's the ssl part that I struggle with. I guess I just don't understand how it works well enough to diagnose it....

iPhone 12- 14.8.1
firefox - 39.0
chrome - 96.4664.53

How do I find details about the error in Chrome? When clicking site information from within Chrome, it says the certificate is verified, but that the site isn't secure...

That's a mixed content warning, due to the site loading an image over HTTP: http://showmypc.com/images/buttons/g3.png
That site supports HTTPS, so just change the image link to the HTTPS version of it.

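The "certificate verified but site not secure" symptom diagnosed above is what a mixed content check finds. As an added example (not code from the thread), this standard-library Python scanner lists the http:// subresources an https:// page would load; the sample HTML is constructed here and embeds the same image URL named in the reply.

```python
"""Flag mixed content: http:// subresources referenced from an https:// page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose values load a subresource (scripts, styles, images, media).
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in RESOURCE_ATTRS.get(tag, ()):
                continue
            # srcset holds comma-separated "url descriptor" pairs
            parts = value.split(",") if name == "srcset" else [value]
            for part in (p.strip().split()[0] for p in parts if p.strip()):
                url = urljoin(self.page_url, part)  # resolves //host and relative paths
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, name, url))

def find_mixed_content(page_url, html):
    """Return the http:// subresources an https:// page would load."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, modelled on the thread: an https site embedding one
# image over plain http. A plain <a href> link is navigation, not mixed content.
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="/css/site.css"></head><body>
<img src="http://showmypc.com/images/buttons/g3.png" alt="remote support">
<img src="//cdn.example.invalid/logo.png">
<script src="https://example.invalid/app.js"></script>
<a href="http://example.invalid/page">a link</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://rickscs.com/", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> loads {url}")
```

Scheme-relative (`//host`) and path-relative references inherit https from the page and are correctly left alone; only absolute http:// references are reported.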

Thank you!


Firefox 39? From 2015 by my googling. You should update that. Firefox ships with its own certificate store so you are far behind.

As to Chrome, I agree with what orangepizza just said.


In this context I think he means Firefox for iOS, which has different versioning (as Apple forces the use of the Safari engine for browsers on iOS).
Firefox (iOS) 39 was just released on the 2nd of this month.


Thanks. Does Firefox for iOS ship with its own CA cert store like it does for Android? Curious.


Firefox was downloaded from the Apple App Store yesterday. Surely they aren't dishing out a version from 2015....

No, orangepizza cleared that up. Version 39 for Android is from 2015. The same version number on iOS is recent. My bad. Of course, I did not know you had just downloaded it either until just now. You would be surprised at the age of some things we see on this forum.


not really surprised... I had a customer bring in a PC about a month ago that he bought new in 1997 running Win 95 for repairs. It had a program on it that was discontinued and he had no installation media to install on a newer PC. He had been using the modem in it to fax himself documents from it because he couldn't get a printer to work.

Thanks for all the help guys... I knew the answer here. I had run into that issue before, but had forgotten.


I'm not that experienced with Apple devices, but I've heard (also confirmed by reading the current Apple Developer Policy) that you're not allowed to "ship your own browser engine". So Firefox on iOS just uses WebKit, which means that it's using the OS TLS stack and the OS trust store (or whatever is used by Apple's WebKit framework...).

